January 23, 2013

A hole in Twitter’s security enabled third-party applications to gain access to the direct messages of users who signed in to the apps using their Twitter accounts, said security researcher Cesar Cerrudo.

The chief technology officer of IOActive found the defect while testing a web application, still under development, that allowed users to sign in with their Twitter accounts.

He chose to sign in with his Twitter account because he believed the social networking site would prevent the app from being able to access direct messages or see his Twitter password.

“After viewing the displayed web page, I trusted that Twitter would not give the application access to my password and direct messages,” Cerrudo wrote in a blog post. “I felt that my account was safe, so I signed in and played with the application. I saw that the application had the functionality to access and display Twitter direct messages. The functionality, however, did not work, since Twitter did not allow the application to access these messages.”

For the app to gain access, it would have to request proper authorization through the following Twitter web page:

The above page was never displayed to Cerrudo. He had been using the app for some time, logging in and out of both it and Twitter to explore its functionality, when he discovered that the app was displaying all of his direct messages from Twitter.

“This was a huge and scary surprise,” he wrote. “I wondered how this was possible. How had the application bypassed Twitter’s security restrictions? I needed to know the answer.”

He logged in to Twitter to check its application settings. The page said: ‘Permissions: read, write, and direct messages.’

“I couldn’t understand how this was possible, since I had never authorized the application to access my ‘private’ direct messages,” Cerrudo said. “I realized that this was a huge security hole.”

He reported the problem to Twitter on Jan. 16 and it was addressed in less than 24 hours.

“They said the issue occurred due to complex code and incorrect assumptions and validations,” Cerrudo said.

The fix, however, does not appear to be retroactive: the app still had access to Cerrudo’s direct messages until he revoked that access himself.

Cerrudo said Twitter’s disclosure policy leaves a lot to be desired — the social network has not issued an alert to its users about the now-fixed security issue.

He said millions of users could be unaware that third-party apps had already accessed their private information.

“I love Twitter,” he said. “I use it daily. However, I think Twitter still needs a bit of improvement, especially when it comes to alerting its users about security issues when privacy is affected.”